Szczygielka's hacking notes
  • 🚀Welcome
  • 💻Hack The Box Writeups
    • Linux Machines
      • Busqueda
      • Zipping
      • Clicker
      • Pilgrimage
    • Windows Machines
      • Aero
      • Visual
  • 🚩CTFs Writeups
    • KnightCTF 2024
      • OS, Password, IP Addr, Note, Execution, Path of the Executable, Malicious - Forensics
      • Flag Hunt! - Steganography
      • Oceanic - Steganography
      • README - Web
    • TetCTF 2024
      • TET & 4N6 - Misc/Forensics
    • 0xL4ugh CTF 2024
      • Wordpress - 1 - Forensics
      • Wordpress - 2 - Forensics
      • Gamer - 5 - Forensics
    • 1753CTF 2024
      • Resume - Misc
    • UTCTF 2024
      • OSINT 1 - Forensics
      • OSINT 2 - Forensics
      • Contracts - Forensics
      • Survey - Forensics
      • simple signature - Crypto
      • Anti-dcode.fr - Crypto
      • bits and pieces - Crypto
    • RITSEC CTF 2024
      • Curiosity Helped the Cat - Forensics
      • Failed File Transfer - Crypto
      • Dastardly Evil Scientists - Crypto
      • Secret Door - Misc
      • Guess – Reversing
    • Cyber Apocalypse 2024: Hacker Royale
      • Russian Roulette - Blockchain
      • Recovery - Blockchain
      • Primary Knowledge - Crypto
Powered by GitBook
On this page
  • Task
  • Solution
  1. CTFs Writeups
  2. 0xL4ugh CTF 2024

Gamer - 5 - Forensics

Task

Q1 - The attacker scanned a range of IPs, storing the results in a file for exfiltration. What's the full path of the output file, the count of active hosts, and the IP & Port used for exfiltration?

Q2 - The attacker established a new account for persistence. Can you disclose the name of the new account and its creation date, please? TimeStamp (UTC)

Format: 0xL4ugh{FullPath_Count_IP:Port_username_TimeStamp}

Example: 0xL4ugh{C:**\fileName.ext_0_127.0.0.1:1337_HackerAwyyy_DD-MM-YYYY_HH:MM:SS}

Solution

From the content of Gamer - 1 task we know that:

An employee downloaded an unauthorized app on their work PC to play and chat with gamer friends, leading to a malware infection. Utilizing investigative skills, please identify the specific events that transpired in this scenario.

We get Challenge.7z archive:

szczygielka@hacks$ file Challenge.7z 
Challenge.7z: 7-zip archive data, version 0.4

After unpacking we get another archive Image.7z. Let's copy it to a Windows virtual machine and unpack it using 7-zip:

PS C:\Users\Szczygielka\Documents\Image> dir

    Directory: C:\Users\Szczygielka\Documents\Image


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        07.01.2024     10:30                C
d-----        07.01.2024     10:30                LongFileNames
-a----        07.01.2024     10:29         317431 2024-01-07T092714_CopyLog.csv
-a----        07.01.2024     10:29          19607 2024-01-07T092714_SkipLog.csv

We got a C disk content.

Let's take a look at the contents of the run.ps1 script:

The script contains a payload encoded with Base64. Let's decode it using CyberChef:

The content of the payload indicates that this script scans the IP address from 192.168.1.1to 192.168.1.17, checking with the Test-Connection cmdlet whether a given host is online. Test-Connection sends ICMP echo request packets or pings to the host. Host scan results are saved to a file:

C:\Users\Administrator\AppData\Local\Temp\A52148.txt

Then the content of the file is read and encoded to Base64 and sent to the remote host with IP address and port:

172.17.121.9:8080

Let's check the contents of the A52148.txt file to find out which hosts were active:

We can see that only 3 hosts were active. We get all the answers for the first task. Now we have to find information about the creation of a new account in the system.

We find an event that indicates the creation of a new user account:

The username of the new account is:

7amoksha

We have the username of the created account, but we still do not have time of its creation.

In the location SAM\Domains\Account\Users we can find the following information connected with user accounts:

We notice that the account of 7amoksha user was created on 2024-01-07 at 9:16:20. Let's change the account creation format to match the format in the flag:

07-01-2024_09:16:20

Flag:

0xL4ugh{C:\Users\Administrator\AppData\Local\Temp\A52148.txt_3_172.17.121.9:8080_7amoksha_07-01-2024_09:16:20}
PreviousWordpress - 2 - ForensicsNext1753CTF 2024

Last updated 1 year ago

We will use the FTK Imager to analyze its content. This tool can be downloaded from . In the C:\ directory we find a custom directory called T3MP. This directory contains 2 files, which are run.bat and run.ps1.

We can use event logs to find an event of the creation user account. In Windows event logs are stored in C:\Windows\System32\winevt\logs. We can view event logs using Event Viewer. Due to Microsoft event responsible for creating a new user should have ID 4720. This type of event belongs to the category User Account Management. According to information from , events in this category can be logged in Security Log. So let's open the Security Log by theEvent Viewer and let's search for events with ID 4720.

To find the information about the time of the created account we could also use information collected in the register. Information connected with a user account, login information, and group information might be found in the Security Account Manager (SAM) hive. The majority of registry hives are located in the C:\Windows\System32\Config directory, also SAM hive. To view the contents of the registry hive we can use Registry Explorer. This tool can be downloaded from .

🚩
here
documentation
Wikipedia
here